From 1f923ae71d44d879f1d9d8f7e6abc4796c2fbad1 Mon Sep 17 00:00:00 2001
From: Mondo Diaz
Date: Fri, 16 Jan 2026 21:28:30 +0000
Subject: [PATCH] Fix auth tests to not invalidate integration_client session

Password change tests were using the admin account, which invalidated all admin sessions including the shared integration_client. Now all password change tests create and use dedicated test users, keeping the admin session intact for other tests.
Tests updated:
- test_change_password_success
- test_change_password_wrong_current
- test_password_too_short_on_change
---
backend/tests/integration/test_auth_api.py | 62 +++++++++++++++++-----
1 file changed, 48 insertions(+), 14 deletions(-)

diff --git a/backend/tests/integration/test_auth_api.py b/backend/tests/integration/test_auth_api.py
index b44c2fd..13e5259 100644
--- a/backend/tests/integration/test_auth_api.py
+++ b/backend/tests/integration/test_auth_api.py
@@ -107,21 +107,37 @@ class TestAuthMe: class TestAuthChangePassword: - """Tests for change password endpoint.""" + """Tests for change password endpoint. + + Note: These tests use dedicated test users instead of admin to avoid + invalidating the integration_client session (which uses admin). + """ @pytest.mark.integration def test_change_password_success(self, auth_client): """Test successful password change.""" - # Login first + # Login as admin to create a test user auth_client.post( "/api/v1/auth/login", json={"username": "admin", "password": "changeme123"}, ) + test_username = f"pwchange_{uuid4().hex[:8]}" + auth_client.post( + "/api/v1/admin/users", + json={"username": test_username, "password": "oldpassword123"}, + ) + + # Login as test user + auth_client.cookies.clear() + auth_client.post( + "/api/v1/auth/login", + json={"username": test_username, "password": "oldpassword123"}, + ) # Change password response = auth_client.post( "/api/v1/auth/change-password", - json={"current_password": "changeme123", "new_password": "newpassword123"}, + json={"current_password": "oldpassword123", "new_password": "newpassword123"}, ) assert response.status_code == 200 
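Review bot: None of the three setup calls added to test_change_password_success (admin login, POST to `/api/v1/admin/users`, login as the new user) checks its response, so a failed user creation only surfaces later as an unexplained status on the change-password call. The same unasserted setup is added in test_change_password_wrong_current and test_password_too_short_on_change. For the wrong-current case the final assertion lies outside the visible hunk; if it expects an auth-failure status, a client that never logged in would satisfy it and the test would pass without exercising the password check. Capturing the test-user login and asserting on it catches all three failure modes: `login = auth_client.post(...)` followed by `assert login.status_code == 200, login.text`. The hunk also relies on `uuid4` already being imported in this file, since the patch adds no import line.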
@@ -129,32 +145,37 @@ class TestAuthChangePassword: auth_client.cookies.clear() response = auth_client.post( "/api/v1/auth/login", - json={"username": "admin", "password": "changeme123"}, + json={"username": test_username, "password": "oldpassword123"}, ) assert response.status_code == 401 # Verify new password works response = auth_client.post( "/api/v1/auth/login", - json={"username": "admin", "password": "newpassword123"}, + json={"username": test_username, "password": "newpassword123"}, ) assert response.status_code == 200 - # Reset password back to original for other tests - reset_response = auth_client.post( - "/api/v1/auth/change-password", - json={"current_password": "newpassword123", "new_password": "changeme123"}, - ) - assert reset_response.status_code == 200, "Failed to reset admin password back to default" - @pytest.mark.integration def test_change_password_wrong_current(self, auth_client): """Test password change with wrong current password.""" - # Login first + # Login as admin to create a test user auth_client.post( "/api/v1/auth/login", json={"username": "admin", "password": "changeme123"}, ) + test_username = f"pwwrong_{uuid4().hex[:8]}" + auth_client.post( + "/api/v1/admin/users", + json={"username": test_username, "password": "password123"}, + ) + + # Login as test user + auth_client.cookies.clear() + auth_client.post( + "/api/v1/auth/login", + json={"username": test_username, "password": "password123"}, + ) response = auth_client.post( "/api/v1/auth/change-password", 
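Review bot: test_change_password_success clears the cookie jar right after the password change, so it never checks what happens to the session that was open before the change. The commit message says a password change invalidated all sessions of the account, and now that the test runs as a throwaway user, that behaviour can be asserted without side effects on other tests. Before `auth_client.cookies.clear()` at the top of this hunk I would send one authenticated request and assert the status the API is meant to return for the old cookie. At minimum, leave `# TODO: assert what happens to the pre-change session cookie after the password change`. Both test bodies touched by this hunk start or end outside it.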
@@ -443,14 +464,27 @@ class TestSecurityEdgeCases: @pytest.mark.integration def test_password_too_short_on_change(self, auth_client): """Test that short passwords are rejected when changing password.""" + # Create test user auth_client.post( "/api/v1/auth/login", json={"username": "admin", "password": "changeme123"}, ) + test_username = f"shortchange_{uuid4().hex[:8]}" + auth_client.post( + "/api/v1/admin/users", + json={"username": test_username, "password": "password123"}, + ) + + # Login as test user + auth_client.cookies.clear() + auth_client.post( + "/api/v1/auth/login", + json={"username": test_username, "password": "password123"}, + ) response = auth_client.post( "/api/v1/auth/change-password", - json={"current_password": "changeme123", "new_password": "short"}, + json={"current_password": "password123", "new_password": "short"}, ) assert response.status_code == 400 assert "at least 8 characters" in response.json()["detail"]
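Review bot: The create-user-then-login sequence is pasted here for the third time, after the two copies in TestAuthChangePassword, each with the admin credentials and endpoint paths written out again. A module-level helper would keep the account setup in one place and give a single spot to check the setup responses, so each test starts with one call. The success status of `/api/v1/admin/users` is not visible in this patch, so the sketch below only asserts that the creation did not fail. The accounts it creates are never removed, which is fine only if the integration database is disposable.

```python
def _login_as_new_user(client, prefix, password):
    """Create a throwaway user as admin, then log `client` in as that user."""
    admin = client.post(
        "/api/v1/auth/login",
        json={"username": "admin", "password": "changeme123"},
    )
    assert admin.status_code == 200, admin.text
    username = f"{prefix}_{uuid4().hex[:8]}"
    created = client.post(
        "/api/v1/admin/users",
        json={"username": username, "password": password},
    )
    assert created.status_code < 400, created.text
    client.cookies.clear()
    login = client.post(
        "/api/v1/auth/login",
        json={"username": username, "password": password},
    )
    assert login.status_code == 200, login.text
    return username


# test_password_too_short_on_change then starts with:
#     _login_as_new_user(auth_client, "shortchange", "password123")
# … unchanged: change-password request and the 400 / detail assertions …
```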